IBM Security Guardium


Series: Introduction - Where is your data protection journey taking you?

By Benazeer Daruwalla posted Sat June 30, 2018 04:23 PM


If you can’t fly, then run; if you can’t run, then walk; if you can’t walk, then crawl; but by all means keep moving.

– Martin Luther King Jr.

Business Problem

Most organizations have implemented data activity monitoring solutions to monitor and report on user activity against their various data sources. These solutions have proven instrumental in meeting regulatory requirements, but the significant investment is not translating into visible cybersecurity benefits, nor is its underlying business value being communicated effectively.
While these implementations pass the compliance ‘check-marks’, the basic questions remain: Are we more secure than we were before, especially now that unauthorized data manipulation and data exfiltration are at the core of a growing share of cyber-attacks? Are we monitoring enough, or too much? And, most of all, are we protecting our business-critical assets?

The majority of implementations are plagued with noise from a high number of false positives, manual workarounds and broken processes. Requests for additional investment to mature these implementations are often met with cynicism in the light of already sky-rocketing operational management costs.


And why is that?

Data activity monitoring solutions such as Guardium readily meet compliance and data security needs. Yet very often, cyber use cases are not considered, even though the platform was designed for them:

  1. The bottom-up approach (with some level of ‘initial’ business sponsorship) is handled on an ad-hoc basis without a tiered strategy. The one-size-fits-all approach fails to consider data classification policies, how the data is used within the business context, and the business risk/impact of its loss
  2. Business memory is short. Cyber teams often struggle to communicate the value of incremental security investments in language that the business understands, which gives a false impression of security. Also, not every business has the maturity or the knowledge of cyber threats and risks. As a result, businesses shift their focus to other competing priorities
  3. Very few organizations have integrated data activity reports into their Security Operations Center (SOC). The fragmented, silo-ed approach creates data security blind spots. Organizations that have gone down the path of integrating DB Ops with the SOC suffer from process inefficiencies due to increased false positives, broken workflows, unclear accountabilities and a lack of standard operating procedures
  4. The same issues carry over into the new world of cloud, compounded by a lack of cloud readiness and of the skills required to protect data in the cloud
  5. All these challenges are further amplified by vendors’ inability to keep pace and evolve their product roadmaps to meet the emerging needs of the 21st-century business.


The punch line

Data protection strategies see more success when driven top-down and implemented bottom-up, starting with an understanding of the business risks that takes into account the threats, the vulnerabilities and the risk tolerance for abnormalities.
  • Cyber and business teams should collaboratively identify and prioritize the risk scenarios for data activity monitoring (e.g. using a threat-risk matrix) to determine WHAT and WHY
  • Based on the insights gathered, appropriate logical and technical controls can be defined to mitigate the identified threats within acceptable levels of residual risk, to determine HOW

In this series, we will explore how the Guardium Data Protection portfolio is positioned to manage data risks effectively by allowing organizations to build actionable, data-driven security architectures that can analyze, defend and adapt to the dynamism of business and IT environments.

At this point, I leave you with a few basic questions to chew on: Do you (or your organization) clearly understand what data is being monitored and why? If yes, what dynamic controls are in place to protect it? If there were a data breach, who would the organizational culture blame? The CISO’s office, the CRO/CCO’s office, the data custodian, or the LoB (line of business) that presumably owned but lost the data?

Laters!
